The default digest algorithm used to sign certificates. You may want to use
"sha256" for older (pre-2010) clients. Note that this setting is also
used by the init_ca command, so if you have any clients that do not
understand sha512 hashes, you should change this beforehand.

CA_DIR

Default: "ca/files"

Where the root certificate is stored. The default is a files directory
in the same location as your manage.py file.

CA_NOTIFICATION_DAYS

Default: [14,7,3,1,]

Days before expiry that certificate watchers will receive notifications. By default, watchers
will receive notifications 14, seven, three and one days before expiry.

Profiles determine the default values for the keyUsage, extendedKeyUsage x509
extensions. In short, they determine how your certificate can be used, be it for server and/or
client authentication, e-mail signing or anything else. By default, django-ca provides these
profiles:

Profile

keyUsage

extendedKeyUsage

client

digitalSignature

clientAuth

server

digitalSignature, keyAgreement
keyEncipherment

clientAuth, serverAuth

webserver

digitalSignature, keyAgreement
keyEncipherment

serverAuth

enduser

dataEncipherment, digitalSignature,
keyEncipherment

clientAuth,
emailProtection,
codeSigning

ocsp

nonRepudiation, talSignature,
keyEncipherment

OCSPSigning

Further more,

The keyUsage attribute is marked as critical.

The extendedKeyUsage attribute is marked as non-critical.

This should be fine for most usecases. But you can use the CA_PROFILES
setting to either update or disable existing profiles or add new profiles
that you like. For that, set CA_PROFILES to a dictionary with the keys
defining the profile name and the value being either:

None to disable an existing profile.

A dictionary defining the profile. If the name of the profile is an
existing profile, the dictionary is updated, so you can ommit a value to
leave it as the default. The possible keys are:

key

Description

"keyUsage"

The keyUsage X509 extension.

"extendedKeyUsage"

The extendedKeyUsage X509 extension.

"desc"

A human-readable description, shows up with “sing_cert -h” and in the
webinterface profile selection.

"subject"

The default subject to use. If ommited, CA_DEFAULT_SUBJECT is
used.

"cn_in_san"

If to include the CommonName in the subjectAltName by default. The
default value is True.

Here is a full example:

CA_PROFILES={'client':{'desc':_('Nice description.'),'keyUsage':{'critical':True,'value':['digitalSignature',],},'extendedKeyUsage':{'critical':False,'value':['clientAuth',],},'subject':{'C':'AT','L':'Vienna',}},# We really don't like the "ocsp" profile, so we remove it.'ocsp':None,}